Critical Infrastructure at Risk: Deconstructing the CISA AWS GovCloud Credential Leak

A profound security failure has surfaced involving the U.S. Cybersecurity and Infrastructure Security Agency (CISA), following reports that a third-party contractor inadvertently exposed highly sensitive AWS GovCloud credentials within a public GitHub repository. Disclosed by security researchers on May 15, 2026, the incident is being characterized as a high-severity data exposure due to the nature of the compromised administrative assets.

Technical Breakdown of the Data Exposure

The breach centered around a public repository titled “Private-CISA,” which was maintained by a contractor affiliated with Nightwing, a government services provider. Detailed analysis by researchers from GitGuardian revealed that the repository functioned less like a version control system and more like an unsecured storage bucket for highly sensitive operational data. The exposed assets included:

  • AWS GovCloud Access Keys: Credentials possessing administrative-level privileges.
  • Unencrypted Authentication Data: Plaintext usernames and passwords documented in CSV formats.
  • Session Tokens & Logs: Internal system tokens and authentication logs that could facilitate session hijacking.
  • DevOps Infrastructure Credentials: Access keys specifically targeting CISA’s software development lifecycle (SDLC) environments.

A critical file titled importantAWStokens was found to contain credentials providing direct access to at least three distinct AWS GovCloud environments. Furthermore, a file named AWS-Workspace-Firefox-Passwords.csv exposed login details for critical internal systems, including the “Landing Zone DevSecOps” environment.

Redacted screenshot of the Private CISA GitHub repository
A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor (Source: Krebs on Security)

Perhaps most concerning was the evidence of systemic bypasses in security protocols. The repository’s commit history indicated that the user had intentionally disabled GitHub’s native secret scanning protections—a feature designed to prevent exactly this type of accidental leak. This allowed sensitive strings to be pushed to the public domain without triggering automated alerts.

Additional technical lapses identified during the audit included:

  • The use of GitHub as a makeshift file synchronization tool between local devices.
  • The direct commitment of backup files and internal logs to a public repository.
  • The storage of passwords in plaintext, often following predictable patterns (e.g., [SystemName][CurrentYear]).

Philippe Caturegli, founder of Seralys, verified that several of the exposed AWS credentials remained active and functional during testing, granting high-level access to cloud resources.

File list from the Private CISA GitHub repository
The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources. (Source: Krebs On Security)

Caturegli also highlighted a massive supply chain risk: access to internal artifact repositories could allow a sophisticated actor to inject malicious code into software builds, effectively compromising the integrity of the tools CISA uses to secure the nation.

Timeline of Exposure

  • November 13, 2025: Initial repository creation.
  • May 2026: Public exposure identified by researchers.
  • Post-Disclosure: Repository taken offline; however, AWS keys reportedly remained active for approximately 48 hours following the removal.

CISA Response and Institutional Implications

According to reporting by Krebs on Security, CISA has acknowledged the incident and launched an active investigation. The agency maintains that, as of their current assessment, there is no definitive evidence that sensitive systems were successfully exploited by malicious actors.

Despite these assurances, the incident has reignited debates regarding CISA’s internal oversight capabilities. Recent reports suggest the agency has faced significant staffing reductions, losing nearly one-third of its workforce, which may have contributed to the lack of stringent contractor oversight and repository hygiene.

From a cybersecurity standpoint, this event serves as a stark reminder of how easily “minor” human errors can escalate into catastrophic risks. The ability for an attacker to move laterally through AWS GovCloud or manipulate the software supply chain represents a worst-case scenario for national security.

To prevent such breaches, organizations must move beyond basic security and implement a multi-layered defense-in-depth strategy:

  • Automated Secret Management: Utilizing dedicated vaults (such as HashiCorp Vault or AWS Secrets Manager) rather than local files.
  • Strict Repository Governance: Enforcing mandatory secret scanning and preventing the bypass of automated security hooks.
  • Principle of Least Privilege (PoLP): Ensuring that even if a key is leaked, its scope of influence is strictly limited.
  • Aggressive Rotation Policies: Implementing automated, frequent rotation of all high-value credentials to minimize the “window of opportunity” for attackers.

Related Articles

Back to top button